Public Interest Representation in Privacy and Telecommunications: A Tale of Two Results

Telecommunications was the original battleground of privacy. There were famous fights in Parliament and the courts in the 1970s and 1980s over obtaining telephone wiretaps to listen to conversations: the legacy of RCMP efforts to track sovereigntists (or “separatists” if you prefer) but less well-known were battles over who could see your calling records (what number you called, for how long, and where that number was located).

The Canadian Radio-television and Telecommunications Commission (CRTC) protected the privacy of consumers’ calling records, in part because consumer and public interest representatives appeared at their hearings and argued it was no one’s business whom you called (short of criminal charges) and no marketing or other company should see your call records. The phone companies were generally happy to protect their customers’ confidentiality as essential to their service. The CRTC said no one else could get these records without your written, explicit consent.

Come the 2000s, and marketing had gotten better. Computers had made data more useful and data communications, even before the Internet was widely used, allowed easy transfer of call records or any other data your activities generated. The Federal Government consulted on privacy and marketing and passed a law known as the Personal Information Protection and Electronic Documents Act (PIPEDA), quite simply to protect your data in the “networked computer” (and later Internet) age.

Unfortunately, this was not so easy. It turns out networked computer use generated far more “metadata” (like calling records, metadata is data about the transmission, not the content) than phone calls. Internet platforms such as Google and Facebook learned that the metadata had predictive qualities, meaning they could sell those predictions to advertisers.

Similar to the phone records situation, the Office of the Privacy Commissioner of Canada (OPCC) was asked, under PIPEDA, in 2007, if Facebook’s policies allowed these third parties too much access to metadata. The OPCC agreed and tried to tell Facebook to change its practices, at least in Canada. Facebook effectively did not change the way it made personal information available to others. We got the Cambridge Analytica scandal out of this. Why?

Because the OPCC is not the CRTC. The CRTC has two things the OPCC does not: it has money for public interest advocates to participate in its proceedings (called “intervener cost awards”) and it has mandatory order-making powers (well, some at least, and only in Canada). Still, that is enough for the CRTC to have made rules blocking, for example, Bell Canada from monitoring most things its internet access customers do and using the metadata to sell ads (the “Bell Relevant Ads” decision). Needless to say, PIAC and others argued against Bell and for customer privacy and were assisted by the cost awards. The OPCC made a finding as well that Bell violated PIPEDA but it was the CRTC that stopped the Relevant Ads program.

What occurred there, therefore, is an A/B test. Provide consumer and public interest advocates with sufficient funds to argue for consumer privacy and give the regulator the teeth it needs, and privacy will be protected. Without both, not so much.